Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceGHSA-35pf-37c6-jxjv

GHSA-35pf-37c6-jxjv

HIGH7.6

PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables

Published Mar 25, 2026

Modified 3 weeks ago

Fix available

Details

Impact

Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates.

Patches

Patched on 8.2.5 and 9.1.0

Workarounds

None

References

None

Affected Packages

prestashop/prestashop

Packagist

Fixed in:

8.2.5

prestashop/prestashop

Packagist

Fixed in:

9.1.0

References

https://github.com/PrestaShop/PrestaShop

https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5

https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv

https://github.com/advisories/GHSA-35pf-37c6-jxjv

https://nvd.nist.gov/vuln/detail/CVE-2026-33673

Aliases

CVSS Analysis

CVSS v3.1

7.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

HighPR:H

User Interaction

RequiredUI:R

Scope

Scope

ChangedS:C

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

7.6/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Related

Ecosystems

Timeline

PublishedMar 25, 2026

ModifiedMar 27, 2026

GHSA-35pf-37c6-jxjv | Mondoo Vulnerability Intelligence